New Cobalt Campaign Targets Russian and Romanian Banks

A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.

Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian Metallinvestbank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. Last year it was reported that Cobalt had expanded its targeting beyond banks to government, telecom/Internet and service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone to other targets.

A common theme for Cobalt is to start with spear-phishing emails to gain the initial entry. In financial attacks, the emails usually masquerade as other financial institutions or a financial supplier/partner domain to gain the target’s trust.

In an analysis of the new campaign, Netscout’s ASERT researchers show numerous parallels with known Cobalt TTPs and tools, along with one new divergence: one of the phishing emails they discovered contains two separate malicious URLs. The first leads to a weaponized Word document, while the second leads to a binary with a .jpg extension.

The researchers uncovered two malware samples that connect the new campaign to Cobalt. The first is a JavaScript backdoor that shares functionality with other backdoors. The second is COOLPANTS, a reconnaissance backdoor linked to Cobalt and originally found by researcher Szabolcs Schmidt. The new report notes that COOLPANTS appears to be an evolution of CobInt: 28 of its 57 functions match under the binary-diffing tool Diaphora. Furthermore, COOLPANTS connects to hxxps://apstore[.]info, which Proofpoint describes as a Cobalt C2.

On 13 August 2018, ASERT found a new sample almost identical to COOLPANTS; it was compiled at the same time as COOLPANTS, on 1 August 2018. Its 48 functions match those in COOLPANTS under the ‘Best Match’ tab in Diaphora. This sample, however, has rietumu[.]me as its C2. Inspecting rietumu[.]me, ASERT found the email address solisariana[@]protonmail[.]com. Pivoting from this address, it found five more new domains, all created on 1 August 2018.

The domains are compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit. Each one is clearly designed to masquerade as the domain of a financial services organization. The real Interkassa, for example, is, according to its genuine website, a payments processing firm based in Ukraine.
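The five domains above are lookalikes built by dropping a letter ("centalbank"), inserting a hyphen ("inter-kassa") or swapping the TLD ("unibank.credit"). The following is an added example, not code from the article or from the ASERT report, of the check a brand-protection or mail-gateway team can run on newly registered domains: the leftmost label is normalized and compared, by edit distance over sliding windows, against a watch list of brand keywords. The BRANDS keywords and the LEGIT allowlist are constructed assumptions; the candidate domains are the ones named in the report, kept defanged.

```python
"""Lookalike-domain triage for the domains named in the report.
Added example; BRANDS and LEGIT are constructed assumptions."""
from typing import Dict, List, Optional, Tuple

# Assumed brand keywords a financial institution would watch for. Constructed.
BRANDS = ("interkassa", "unibank", "centralbank", "compass")
# Assumed allowlist of genuine domains, so the real thing is never flagged. Constructed.
LEGIT = {"interkassa.com"}

# Domains listed in the ASERT report, kept defanged as the article prints them.
CANDIDATES = [
    "compass[.]plus", "eucentalbank[.]com", "europecentalbank[.]com",
    "inter-kassa[.]com", "unibank[.]credit",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_window_distance(label: str, brand: str) -> int:
    """Smallest edit distance between the brand and any substring of the label
    whose length is within one character of the brand's length, so a brand
    embedded in a longer label ("eu" + "centalbank") is still found."""
    best = len(brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        if width <= 0:
            continue
        for start in range(max(1, len(label) - width + 1)):
            best = min(best, levenshtein(label[start:start + width], brand))
    return best


def refang(domain: str) -> str:
    """Undo the [.] defanging so the string can be split on real dots."""
    return domain.lower().replace("[.]", ".").replace("[dot]", ".")


def lookalike_hits(domain: str, max_distance: int = 1) -> Optional[List[Tuple[str, int]]]:
    """Return (brand, distance) pairs for brands the domain imitates, or None.
    Hyphens are dropped from the leftmost label so inter-kassa equals interkassa,
    and the TLD is ignored so unibank.credit still matches the unibank brand."""
    domain = refang(domain)
    if domain in LEGIT:
        return None
    label = domain.split(".")[0].replace("-", "")
    hits = []
    for brand in BRANDS:
        distance = best_window_distance(label, brand)
        if distance <= max_distance:
            hits.append((brand, distance))
    return hits or None


def triage(domains: List[str]) -> Dict[str, Optional[List[Tuple[str, int]]]]:
    """Map each candidate domain to its lookalike hits (None when clean)."""
    return {d: lookalike_hits(d) for d in domains}


if __name__ == "__main__":
    for domain, hits in triage(CANDIDATES).items():
        print(f"{domain:26} {'LOOKALIKE ' + str(hits) if hits else 'no match'}")
```

A threshold of one edit catches the dropped-letter and hyphen variants here while leaving unrelated labels alone; widening it trades more recall for more analyst time, and the allowlist is what keeps the genuine domain out of the alert queue.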

The researchers used the inter-kassa domain and searched for samples. They found a spear-phishing email that bears all the hallmarks of a Cobalt campaign, dated 2 August 2018. It is addressed to bulavina AT ns-bank DOT ru and sent by “Interkassa” <denis AT inter-kassa DOT com>. Interestingly, LinkedIn lists a Denys Kyrychenko as co-owner and CTO of Interkassa.

It is this email that carries the two embedded malicious links. One retrieves a weaponized Word document with an embedded VBA script. If macros are enabled, the script builds a cmd.exe command that launches cmstp.exe with an INF file. The INF file beacons back to the C2 to download a payload, which cmstp.exe then executes.
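The chain above (Word macro, then cmd.exe, then cmstp.exe handed an INF file) leaves a distinctive process ancestry on the endpoint. The following is an added example, not code from the article or the ASERT report, of how a detection engineer might express it over process-creation telemetry. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1; every path and command line in SAMPLE_EVENTS is constructed for the example and is not a campaign indicator.

```python
"""Detect the Office -> shell -> cmstp.exe/INF chain in process-creation events.
Added example; field names follow Sysmon Event ID 1, sample values are constructed."""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events. None of these paths or file names come from the campaign.
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c cmstp.exe C:\Users\Public\invoice.inf"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe C:\Users\Public\invoice.inf"},
    # Benign-looking administrative use: an installer runs cmstp.exe with an INF in a system path.
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe C:\Windows\System32\vpnprofile.inf"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# INF files under user-writable directories are the suspicious case; system paths are normal.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inf_arguments(command_line: str) -> List[str]:
    """Every whitespace-separated token that names an .inf file."""
    return [tok.strip('"') for tok in command_line.split()
            if tok.strip('"').lower().endswith(".inf")]


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def classify_event(ev: Event) -> List[str]:
    """Return the names of the rules the event matches (empty list if none)."""
    findings: List[str] = []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev["CommandLine"]
    # Stage 1: an Office application spawning a shell is the macro firing.
    if parent in OFFICE_APPS and child in SHELLS:
        findings.append("office_spawns_shell")
    # Stage 2: cmstp.exe (or the shell about to start it) is given an INF from a user-writable path.
    if "cmstp.exe" in cmd.lower() and any(in_user_writable(p) for p in inf_arguments(cmd)):
        findings.append("cmstp_inf_user_writable")
    # Stage 3: cmstp.exe whose parent is a shell rather than an installer.
    if child == "cmstp.exe" and parent in SHELLS:
        findings.append("cmstp_child_of_shell")
    return findings


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Keep only events that matched at least one rule, with their findings attached."""
    alerts = []
    for ev in events:
        hits = classify_event(ev)
        if hits:
            alerts.append({"Image": ev["Image"], "CommandLine": ev["CommandLine"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["rules"], alert["CommandLine"])
```

Each rule alone is noisy in some environments (administrators do run cmstp.exe), which is why the INF location and the parent process are checked separately: the two constructed malicious events trip two rules each, while the installer-driven event with an INF under System32 trips none.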

The eventual JavaScript backdoor, named ‘more_eggs’, is almost identical to the backdoor analyzed by Trend Micro at this time last year and attributed to Cobalt. Both provide five commands that essentially allow attackers to take over an infected system.

These commands are d&exec (downloads and executes a PE file); more_eggs (downloads an update for itself); gtfo (deletes itself and its related registry entries); more_onion (executes the ‘new’ copy of itself); and vai_x (executes a command via cmd). Only the last command differs between the two versions: in the earlier one, vai_x was named more_power.

The second URL in the spear-phishing email, with a .jpg filename, downloads an executable rather than an image file. This also ultimately beacons to its C2 server, which was not responding at the time of analysis.
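An executable served under a .jpg name is caught by looking at the first bytes of the content rather than trusting the extension. The following is an added example, not code from the article or the ASERT report, of that check as a mail gateway, proxy or sandbox would apply it to downloaded files; the MAGIC signature table is standard file-format knowledge, and the SAMPLES bytes are constructed, not campaign samples.

```python
"""Flag downloads whose extension disagrees with their content (e.g. a PE named .jpg).
Added example; sample bytes are constructed."""
import os
from typing import Dict, List, Optional

# Leading byte signatures for a handful of common types.
MAGIC = [
    (b"MZ", "pe"),                                  # Windows PE / DOS executable
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                         # also .docx/.xlsx (OOXML containers)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls
]

# Which sniffed types are acceptable for a given extension.
EXTENSION_TYPES = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".pdf": {"pdf"}, ".docx": {"zip"}, ".xlsx": {"zip"}, ".doc": {"ole"},
    ".xls": {"ole"}, ".zip": {"zip"}, ".exe": {"pe"}, ".dll": {"pe"},
}

# Constructed sample downloads: a PE disguised as an image, a real JPEG header,
# an OOXML document and a plain text file.
SAMPLES: Dict[str, bytes] = {
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 22,
    "holiday_real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "readme.txt": b"hello",
}


def sniff(data: bytes) -> Optional[str]:
    """Identify the content type from its leading bytes, or None if unrecognised."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a verdict string when the content contradicts the extension, else None.
    Unknown extensions and unrecognised content are left alone rather than guessed."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    expected = EXTENSION_TYPES.get(ext)
    if expected is None or actual is None or actual in expected:
        return None
    return f"{filename}: extension {ext} but content is {actual}"


def scan_samples(samples: Dict[str, bytes]) -> List[str]:
    """Run the mismatch check over every sample and collect the verdicts."""
    verdicts = []
    for name, data in samples.items():
        verdict = extension_mismatch(name, data)
        if verdict:
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for line in scan_samples(SAMPLES):
        print(line)
```

The same test belongs at the HTTP layer: a response whose Content-Type says image/jpeg but whose body starts with MZ is the server-side view of the disguise described above, and a proxy that blocks on that mismatch stops the second infection path without depending on macro settings.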

ASERT is confident that this campaign, and another discovered by Intel471 that targets Romanian carpatica[.]ro by masquerading as the Single Euro Payments Area (SEPA), are both the work of the Cobalt group. Only the use of two separate infection points in one email, with two separate C2s, makes this campaign unusual. “One could speculate that this would increase the infection odds,” comments the report; for example, if Word macros are successfully disallowed by the target, he or she might still succumb to the disguised jpg.

“ASERT believes,” says the report, “Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.” It is worth mentioning that Trend Micro has suggested that Cobalt starts by targeting Russia and the former USSR states to test out its methodology before moving on to European and other targets.

ASERT is the threat intelligence team of Arbor Networks, which is the security division of NETSCOUT.

Related: Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says 

Related: Russia-linked Hackers Exploit Lojack Recovery Tool in Attacks 
